Security Certificates Procedures
This section provides additional procedures related to the security certificates configuration in SMC.
Clear the Default Certificates
- In the SMC tree, select Certificate.
- The Certificates tab with the Default Certificates expander displays the previously set default certificates (root, host and/or self-signed).
- Click Edit.
- Click Reset to clear the default certificate for a certificate type.
- The default value is now cleared. You can now set a new default certificate while importing.
Create a Root Certificate (.pem)
When you create a root certificate for the first time, all the fields appear blank. For every subsequent root certificate you create (.pfx or .pem based), some fields, such as Path, Organization, and so on, are pre-populated with the information from the last-created root certificate.
- In the SMC tree, select Certificate.
- Click Create Certificate and select Create Root Certificate (.pem).
- In the Root Certificate Information expander that displays, enter values into the following fields:
- Certificate file name: The certificate file name and the key file name cannot be the same and must not contain blanks or special characters (/,\,?,<, >,*,|,").
- Key file name
- Key file password and confirm it.
- Path: Browse for the location to store the root certificate and the root key file on the disk. By default, the path of the last created root certificate is selected.
- Expiration: Set the expiration (validity period) duration in days. By default, the certificate expires after 3650 days.
- Enter the following information about the subject:
— Subject name
— Department
— Organization
— City / district
— State / province
— Country code (exactly two characters).
- Click Save.
- The data is validated, and the new root certificate (.pem file) and the root key file are created at the specified location on the disk.
To create a host certificate (.pem file), you must have a root certificate (.pem file) and root key (.pem) file along with its password.
You can create multiple host certificates using one root certificate (.pem file).
You can browse and use this (.pem) root certificate for securing Client/Server communication, when you modify the project properties.
Create a Host Certificate (.pem)
- You have the root certificate (.pem file), and root key file (.pem file) available on the disk, and the root key file password is known to you.
- In the SMC tree, select Certificate.
- Click Create Certificate and select Create Host Certificate (.pem).
- In the Host Certificate Information expander that displays, enter the host certificate details in the following fields:
- Certificate file name: The certificate file name and the key file name cannot be the same and must not contain blanks or special characters (/,\,?,<, >,*,|,").
- Key file name
- Key file password and confirm it.
- Path: Browse for the location to store the root certificate and the root key file on the disk. By default, the path of the last created root certificate is selected.
- Expiration: Set the expiration (validity period) duration in days. By default, the certificate expires after 2190 days.
- Root Certificate: Click Browse to select the root certificate from the disk. By default, the path of the last created root certificate (.pem) is selected.
- Root key file: Click Browse to select the root key file from the disk. By default, the path of the last created root key file (.pem) is selected.
- Root key file password: Enter the root key file password. The root key file password must match the root key file password of the selected root certificate.
- Enter the following information about the subject:
— Subject name: By default, the Subject name field displays the full computer name of the machine (including the domain name, if the machine is in a domain), for example, ABCXY022PC.dom01.company.net. You can modify this to set the desired name. Remember that the host certificate's Subject name should not be the same as the root certificate's Subject name. By default, the subject's identifier information (except for the Subject name) is filled with the last root certificate's subject information.
— Department
— Organization
— City / district
— State / province
— Country code (only two characters)
- Click Save.
- A message displays if the Subject name of the host certificate is the same as that of its root certificate.
- Click OK.
- Click Save to create the file (.pem) based host certificate.
- The data is validated, and the new host certificate (.pem file) and its key file (.pem file) are created at the specified location.
You can use this host certificate (.pem file) for securing Client/Server communication, when you modify the project properties.
Add Entries in the V3.txt File for Creating Multihost Certificate
You want to add the host machine entries (DNS name and/or IP address) to the v3.txt file. This is required when you want to create a multihost certificate using SMC and use this certificate for securing the client/server communication or remote Web Server communication.
- A v3.txt file is located at the path
[installation drive:]\[installation folder]\GMSMainProject\Config.
- You want to create a multihost certificate using SMC.
- Open this file in a text editor such as Notepad.
- Add the host machine entries as key-value pairs for the DNS name and/or the IP address. These key-value pairs are used by SMC during host certificate creation.
For example, DNS.2 = ABCXY022 and IP.2 = 134.34.23.2
Note that the default values are DNS.1 = localhost and IP.1 = 127.0.0.1.
- Save and close the file. Now when you create a Windows store based host certificate using SMC, a multihost certificate with a Subject Alternative Name is created.
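A pre-flight check for the entries described above, as an added example that is not part of the original documentation or of SMC: it reads only the `DNS.n = value` and `IP.n = value` lines and flags duplicated indexes, malformed addresses, and IP addresses typed into DNS entries. It assumes every other line in v3.txt belongs to the file's existing content and ignores it; the function names and the sample content are constructed for illustration.

```python
import ipaddress
import re

# Matches the "DNS.n = value" / "IP.n = value" pairs the procedure describes.
ENTRY = re.compile(r"^\s*(DNS|IP)\.(\d+)\s*=\s*(.*?)\s*$")
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint_v3_entries(text):
    """Return (entries, problems) for the DNS.n / IP.n lines in v3.txt content."""
    entries, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue  # assumption: any other line is existing file content, left alone
        kind, index, value = m.group(1), int(m.group(2)), m.group(3)
        key = f"{kind}.{index}"
        if key in entries:
            problems.append(f"line {lineno}: {key} is defined more than once")
        entries[key] = value
        if kind == "IP" and not is_ip(value):
            problems.append(f"line {lineno}: {key} is not a valid IP address: {value!r}")
        elif kind == "DNS" and is_ip(value):
            problems.append(f"line {lineno}: {key} holds an IP address; use an IP.n entry")
        elif kind == "DNS" and not all(LABEL.match(p) for p in value.split(".")):
            problems.append(f"line {lineno}: {key} is not a valid host name: {value!r}")
    # The page gives these as the default values of the first pair.
    for key, default in (("DNS.1", "localhost"), ("IP.1", "127.0.0.1")):
        if entries.get(key) != default:
            problems.append(f"{key} is missing or differs from the default {default}")
    return entries, problems

# Constructed sample (not a real v3.txt): IP in a DNS entry, duplicate index, bad address.
SAMPLE = """\
DNS.1 = localhost
DNS.2 = ABCXY022
DNS.3 = 134.34.23.2
IP.1 = 127.0.0.1
IP.2 = 134.34.23.2
IP.2 = 134.34.23.300
"""

if __name__ == "__main__":
    print("\n".join(lint_v3_entries(SAMPLE)[1]))
```

An IP address entered as a DNS entry is worth catching because TLS clients compare an IP literal only against IP-type Subject Alternative Name entries.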
Import the Certificates in the Windows Store using MMC
- Open the Microsoft Management Console (MMC) from the Windows Start menu or command prompt.
NOTE: Only users with administrator privileges can use the MMC. If UAC (User Account Control) is enabled, you may be prompted for an administrator password or confirmation.
- The MMC opens.
- On the File menu of the MMC console, click Add or Remove Snap-in.
- The Add or Remove Snap-ins dialog box displays.
- Do the following to add the Certificates in the Add or Remove Snap-ins dialog box:
- From the list of Available snap-ins, select Certificates and click Add.
- In the Certificates snap-in dialog box that displays, select the option Computer account and click Next, and then Finish.
- In the Add or Remove Snap-in dialog box, click OK.
- The Certificate snap-in is added in the MMC.
- Next, in MMC, you need to import a .pfx certificate (root/self-signed). To do this, in the MMC Console tree, select Certificates > Trusted Root Certification Authorities for importing the root and self-signed certificate.
- Under Object Type, right-click Certificates and, from the menu that displays, select All Tasks > Import to open the Certificate Import Wizard dialog box.
- In the Certificate Import Wizard dialog box, browse to the certificate file to be imported. Click Next.
NOTE: When browsing the pfx file in the Open dialog box, make sure you have selected All Files (*.*) as file type.
- Select the Mark key as exportable check box when importing a self-signed certificate .pfx file. This allows you to back up or transport your keys at a later time.
- Click Next and then Finish.
- The selected certificate (root or self-signed) is imported successfully to the selected store.